Cuckoo Malware Analysis

Malware analysis lab

What is a malware analysis lab, and why should we build one? A malware lab is a safe environment in which to analyze malware. Basically, it is an isolated environment containing a set of useful tools that help malware analysts examine malicious software. We should build a malware lab so that we can respond more proactively to new and modern threats that may suddenly attack our organization. It is also a form of advanced detection that works before antivirus vendors have found a new malware specimen. The scope of the malware analysis lab can be determined by examining the processes that will occur during malware analysis.

Static analysis involves disassembling and reverse engineering the code of the malware. This is done in a static state, where the code is analyzed without being executed. No complex configuration is required for the lab, because you will not actually execute the malware itself. The lab is provided only as a safeguard in case you accidentally execute the malware binary while performing code analysis. For dynamic analysis, you need to set up a more complex lab, as you will execute the malware. Malware behaves differently depending on the operating system environment in which it is executed.

You should pay close attention to where the malware analysis hosts sit on your network. Trojans, worms, and other types of malware can be self-replicating, so it is highly likely that simply running an executable on a production network will lead to another machine on the same network being infected.

Setting up a malware analysis lab is actually quite simple and requires a minimum amount of hardware. Isolating your malware analysis lab from the other computers on the network is not enough. If you are not sure, you should also isolate your lab from the Internet. You should consider this option because malware sometimes needs to communicate with a server run by the malware author, for example, a botnet command and control server.

There are two options for building a malware analysis lab: a physical environment or a virtualized environment. As mentioned earlier, both have advantages and disadvantages. Building a physical lab requires a lot of money, and building the environment takes time as well. In this situation, building a malware lab using virtualization will save you both money and time. Virtualization software allows you to save the state of a virtual machine as it runs so that you can revert to it when necessary. This is usually called a snapshot. Using the snapshot feature, you can prepare a virtual machine that contains an operating system with a full set of dynamic and static analysis tools, perform dynamic analysis with the malware, and then save the session as a snapshot so that you can load the initial infected state at will. After finishing your malware analysis, you can choose to keep or discard that snapshot and revert to a clean image. Because you can easily restore the previous state with the snapshot feature, you do not have to worry about malware infecting your guest OS.
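The isolation and snapshot workflow described in the last two paragraphs can be scripted for a VirtualBox guest. The following is an added example, not code from the book or from the Cuckoo project; it assumes VirtualBox is installed, that a guest with the name you pass already exists, and that the host-only adapter name, guest name and snapshot name are placeholders you replace. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the book): put a VirtualBox analysis guest on an
# isolated host-only network, freeze a clean baseline snapshot, and roll the
# guest back to that baseline after each detonation.
# Assumes: VirtualBox with VBoxManage on PATH; a guest named "$vm" exists.
# "vboxnet0", "clean" and the guest name are placeholders.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Attach the guest only to a host-only adapter: it cannot reach the production
# LAN or the Internet, so a self-replicating sample stays inside the lab while
# the host can still capture its traffic.
isolate_vm() {
    vm="$1"; adapter="${2:-vboxnet0}"
    run VBoxManage modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 "$adapter"
    run VBoxManage modifyvm "$vm" --cableconnected1 on
}

# Record the known-good state: analysis tools installed, nothing executed yet.
take_clean_snapshot() {
    vm="$1"; snap="${2:-clean}"
    run VBoxManage snapshot "$vm" take "$snap" --description "clean baseline"
}

# After a sample has run: power the guest off and restore the baseline so the
# next analysis starts from an uninfected image.
revert_vm() {
    vm="$1"; snap="${2:-clean}"
    run VBoxManage controlvm "$vm" poweroff
    run VBoxManage snapshot "$vm" restore "$snap"
}

# Typical session (uncomment to use against a real guest):
# isolate_vm cuckoo1 && take_clean_snapshot cuckoo1 clean
# ... run the sample ...
# revert_vm cuckoo1 clean
```

Taking the baseline snapshot while the guest is powered off keeps the restore fast and avoids carrying live memory state between runs; if you want to preserve an infected state for later inspection, take a second snapshot with a different name before calling revert_vm.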

You should be aware that automated malware analysis, which runs the malware in virtualized operating systems, will help you shorten the time needed to analyze malware samples. Virtualization has become a key component of automated malware analysis because of its cost effectiveness in hardware consumption and CPU utilization. By taking a popular operating system and intentionally infecting it with a captured malware sample, you can monitor the activities of the malware and identify the suspicious activities that occur. The drawback of automated malware analysis is that malware writers can easily detect this method, since malware frequently uses evasion techniques such as anti-debugging, packers, encryption, code obfuscation, and so on. You can, however, try to hide as many virtualization traces as possible. There is a lot of information on the Internet about virtualization detection techniques and the corresponding countermeasures for malware analysis.